Bug 1161479 - HR size operation requires ADMIN permission
Status: CLOSED CURRENTRELEASE
Product: JBoss Data Grid 6
Classification: JBoss
Component: Server
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR1
Target Release: 6.4.0
Assigned To: Tristan Tarrant
QA Contact: Martin Gencur
Blocks: jdg64-GA-Blockers
Reported: 2014-11-07 03:29 EST by Vojtech Juranek
Modified: 2015-02-22 19:00 EST
Doc Type: Bug Fix
Doc Text:
Previously in Red Hat JBoss Data Grid, the map/reduce task was missing security actions. As a result, users could not use the Hot Rod size() operation via the map/reduce approach unless they had ADMIN permissions. This issue is now resolved in JBoss Data Grid 6.4 by adding the required map/reduce security actions. As a result, users with EXEC permissions can now execute map/reduce operations as expected.
Type: Bug
Description Vojtech Juranek 2014-11-07 03:29:37 EST
Executing the size operation via the HR client requires the ADMIN permission, while it should require BULK_READ. Having e.g. a supervisor role with the BULK_READ permission, the size operation fails with

testSupervisorWriteRead(org.infinispan.server.test.client.hotrod.security.HotRodPlainAuthLocalIT)  Time elapsed: 0.029 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: supervisor@ApplicationRealm
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
        Principal: 127.0.0.1@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:284)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:86)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:72)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:42)
        at org.infinispan.client.hotrod.impl.operations.StatsOperation.executeOperation(StatsOperation.java:22)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSize(HotRodSaslAuthTestBase.java:156)
Comment 3 Vojtech Juranek 2015-01-06 10:18:03 EST
Still getting an error when running the size operation on a remote cache:

testSupervisor(org.infinispan.server.test.client.hotrod.security.HotRodKrbAuthIT)  Time elapsed: 0.073 sec  <<< ERROR!
org.infinispan.client.hotrod.exceptions.HotRodClientException: java.security.PrivilegedActionException: java.lang.SecurityException: ISPN000287: Unauthorized access: subject 'Subject:
        Principal: supervisor@INFINISPAN.ORG
        Principal: supervisor@ApplicationRealm
        Principal: supervisor@ApplicationRealm
        Principal: supervisor
        Principal: SimpleUserPrincipal [name=supervisor]
        Principal: InetAddressPrincipal [address=127.0.0.1/127.0.0.1]
' lacks 'ADMIN' permission
        at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:298)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:88)
        at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:74)
        at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:29)
        at org.infinispan.client.hotrod.impl.operations.SizeOperation.executeOperation(SizeOperation.java:13)
        at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:50)
        at org.infinispan.client.hotrod.impl.RemoteCacheImpl.size(RemoteCacheImpl.java:207)
        at org.infinispan.server.test.client.hotrod.security.HotRodAuthzOperationTests.testSize(HotRodAuthzOperationTests.java:178)
        at org.infinispan.server.test.client.hotrod.security.HotRodSaslAuthTestBase.testSupervisor(HotRodSaslAuthTestBase.java:116)
Comment 4 Vojtech Juranek 2015-01-06 10:51:36 EST
It also fails for the clear() and putAll() operations. Supervisor has the following permissions, which should IMHO be sufficient to perform these operations:

<role name="supervisor" permissions="READ WRITE EXEC BULK_READ BULK_WRITE"/>
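The authorization failure in this bug, as an added example that is not JBoss Data Grid's or Infinispan's own code: a Python model of role-based permission checks using bit masks. The supervisor role is the one from comment 4; the BUGGY requirements table reproduces size() demanding ADMIN as reported, the FIXED table uses BULK_READ as the reporter expects, and the permission bit values, the reader/admin roles, the "stats" management operation and the requirements for get/put/clear/putAll are assumptions made for this example. The audit_admin_only_operations helper is the kind of least-privilege check that would flag a data-plane operation mapped to ADMIN before it ships.

```python
from enum import IntFlag
from typing import Dict, Iterable, Mapping, Set


class Permission(IntFlag):
    """Cache permissions as bit masks.

    The names are the ones that appear in this bug (the supervisor role in
    comment 4 plus ADMIN); the bit values are constructed for this model and
    are not Infinispan's own.
    """
    NONE = 0
    READ = 1 << 0
    WRITE = 1 << 1
    EXEC = 1 << 2
    BULK_READ = 1 << 3
    BULK_WRITE = 1 << 4
    ADMIN = 1 << 5


# Role -> granted permissions. "supervisor" is copied from comment 4 of the
# bug; "reader" and "admin" are constructed for contrast.
ROLES: Dict[str, Permission] = {
    "supervisor": (Permission.READ | Permission.WRITE | Permission.EXEC
                   | Permission.BULK_READ | Permission.BULK_WRITE),
    "reader": Permission.READ,
    "admin": (Permission.ADMIN | Permission.READ | Permission.WRITE
              | Permission.EXEC | Permission.BULK_READ | Permission.BULK_WRITE),
}

# Operation -> permission the server demands before executing it.
# BUGGY reproduces the reported behaviour (size() demanding ADMIN).
# FIXED reflects the reporter's expectation (size() needs BULK_READ).
# The entries for get/put/clear/putAll are assumptions for this example.
BUGGY_REQUIREMENTS: Dict[str, Permission] = {
    "get": Permission.READ,
    "put": Permission.WRITE,
    "size": Permission.ADMIN,
    "clear": Permission.BULK_WRITE,
    "putAll": Permission.WRITE,
}
FIXED_REQUIREMENTS: Dict[str, Permission] = dict(
    BUGGY_REQUIREMENTS, size=Permission.BULK_READ)

# Operations that legitimately demand ADMIN (management, not data access);
# constructed for the audit below.
MANAGEMENT_OPERATIONS = frozenset({"stats"})


def effective_permissions(roles: Iterable[str]) -> Permission:
    """Union of the permissions granted by all of a subject's roles."""
    mask = Permission.NONE
    for role in roles:
        mask |= ROLES.get(role, Permission.NONE)
    return mask


def is_authorized(roles: Iterable[str], operation: str,
                  requirements: Mapping[str, Permission]) -> bool:
    """True when the subject's roles cover every bit the operation demands."""
    required = requirements[operation]
    return (effective_permissions(roles) & required) == required


def audit_admin_only_operations(
        requirements: Mapping[str, Permission],
        management_ops: frozenset = MANAGEMENT_OPERATIONS) -> Set[str]:
    """Data-plane operations that demand ADMIN.

    Each entry is a least-privilege defect of the kind reported in this bug,
    so a unit test can fail the build whenever the result is non-empty.
    """
    return {op for op, required in requirements.items()
            if Permission.ADMIN in required and op not in management_ops}


if __name__ == "__main__":
    for name, table in (("buggy", BUGGY_REQUIREMENTS),
                        ("fixed", FIXED_REQUIREMENTS)):
        verdict = "allowed" if is_authorized(["supervisor"], "size", table) else "denied"
        print(f"{name}: supervisor size() -> {verdict}")
        print(f"{name}: operations wrongly requiring ADMIN -> "
              f"{sorted(audit_admin_only_operations(table))}")
```

Running the module prints that the supervisor is denied size() under the buggy table and allowed under the fixed one, and the audit names "size" only for the buggy table. The bit-mask representation is what makes the audit cheap: a role either covers every required bit or it does not, so mis-mapping an operation to ADMIN is a property of the requirements table alone and can be checked without standing up a server.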
Comment 5 Sebastian Łaskawiec 2015-01-09 10:43:17 EST
PR: https://github.com/infinispan/jdg/pull/430